17 July 2018

The nation's top voting machine maker has admitted in a letter to a
federal lawmaker that the company installed remote-access software on
election-management systems it sold over a period of six years, raising
questions about the security of those systems and the integrity of
elections that were conducted with them.

In a letter sent to Sen. Ron Wyden (D-OR) in April and obtained recently by Motherboard,
Election Systems and Software acknowledged that it had "provided
pcAnywhere remote connection software … to a small number of customers
between 2000 and 2006," which was installed on the election-management
system ES&S sold them.

The statement contradicts what the company told me and fact checkers for a story I wrote for the New York Times
in February. At that time, a spokesperson said ES&S had never
installed pcAnywhere on any election system it sold. "None of the
employees, … including long-tenured employees, has any knowledge that
our voting systems have ever been sold with remote-access software," the
spokesperson said.

ES&S did not respond on Monday to
questions from Motherboard, and it’s not clear why the company changed
its response between February and April. Lawmakers, however, have
subpoena powers that can compel a company to hand over documents or
provide sworn testimony on a matter lawmakers are investigating, and a
statement made to lawmakers that is later proven false can have greater
consequence for a company than one made to reporters...

ES&S is the top voting machine maker in the country, a position it
held in the years 2000-2006 when it was installing pcAnywhere on its
systems. The company's machines were used statewide in a number of
states, and at least 60 percent of ballots cast in the US in 2006 were
tabulated on ES&S election-management systems...

Election-management systems are not the voting terminals that voters use
to cast their ballots, but are just as critical: they sit in county
election offices and contain software that in some counties is used to
program all the voting machines used in the county; the systems also
tabulate final results aggregated from voting machines...

But election-management systems and voting machines are supposed to be
air-gapped for security reasons—that is, disconnected from the internet
and from any other systems that are connected to the internet. ES&S
customers who had pcAnywhere installed also had modems on their
election-management systems so ES&S technicians could dial into the
systems and use the software to troubleshoot, thereby creating a
potential port of entry for hackers as well...

Wyden told Motherboard that installing remote-access software and
modems on election equipment “is the worst decision for security short
of leaving ballot boxes on a Moscow street corner.”

In 2006, the same period when ES&S says it was still installing pcAnywhere on election systems, hackers stole the source code for the pcAnywhere software,
though the public didn’t learn of this until years later in 2012 when a
hacker posted some of the source code online, forcing Symantec, the
distributor of pcAnywhere, to admit that it had been stolen years
earlier...

He notes that election officials who purchased the systems likely
were not aware of the potential risks they were taking in allowing this
and didn’t understand the threat landscape to make intelligent decisions
about installing such software.

All of this raises questions
about how many counties across the US had remote-access software
installed—in addition to ES&S customers—and whether intruders had
ever leveraged it to subvert elections...

Wyden says he’s still waiting for ES&S to respond to the outstanding questions he sent the company in March. “ES&S
needs to stop stonewalling and provide a full, honest accounting of
equipment that could be vulnerable to remote attacks,” he told
Motherboard. “When a corporation that makes half of America’s voting
machines refuses to answer the most basic cyber security questions, you
have to ask what it is hiding.”

In the Netherlands, some techies showed that they could remotely read votes being cast on voting machines during an election, after the government said it was impossible. After that made the news, the Netherlands went back to voting with paper and pencil. And it still does, despite the government really wanting to go back to electronic voting.

The only argument for electronic voting seems to be that votes need to be counted faster. Can't we really wait a night?

"Tai-wiki-widbee" is an eclectic mix of trivialities, ephemera, curiosities, and exotica with a smattering of current events, social commentary, science, history, English language and literature, videos, and humor. We try to be the cyberequivalent of a Victorian cabinet of curiosities.
